Summary:
Coinbase Cartel is a data extortion intrusion set first observed in September 2025 that has claimed approximately 143 victims across multiple countries and sectors. The group operates a dedicated leak site, relies on stolen data rather than ransomware encryption, and appears to obtain network access through partnerships with Initial Access Brokers (IABs), valid stolen credentials, and possible supply chain compromises. Research links the operation to threat actor g77 and suggests that Coinbase Cartel is a rebranding of the DataVault leak operation. Targeted platforms include Windows, Linux, and Apple macOS environments.
Technical Description:
Coinbase Cartel emerged in September 2025 and has since listed approximately 143 victims on its dedicated data leak site, targeting organisations across North America, Europe, and the Asia-Pacific region. Affected sectors include finance, healthcare, legal, technology, and retail. The group is assessed to be a rebranding of the DataVault leak operation based on overlapping infrastructure, victim profiles, and operational patterns. Threat actor g77 is linked to the leadership of the operation. Unlike traditional ransomware groups, Coinbase Cartel does not deploy encryption; instead, it exfiltrates sensitive data and threatens public exposure unless a ransom is paid, a model known as pure extortion or data-only ransomware.
Access is primarily obtained through three vectors:
- Initial Access Brokers – the group purchases or partners with IABs that sell pre-established footholds in victim networks, including VPN credentials, Remote Desktop Protocol (RDP) access, and compromised endpoint sessions.
- Valid credentials – credentials that are phished, purchased from stealer malware logs, or obtained through credential stuffing attacks against internet-facing authentication portals.
- Supply chain compromise – suspected in certain cases where the initial entry point has not been identified through standard IAB or credential-based vectors.
Post-access activity involves network reconnaissance, lateral movement, and bulk data exfiltration before the victim is notified. Data hosted on the leak site includes internal documents, financial records, customer PII, and authentication data.
Delivery and Infection Chain:
- Access via Initial Access Broker: Coinbase Cartel purchases access from an IAB that has previously compromised a target through phishing, exploitation of internet-facing vulnerabilities, or the deployment of stealer malware. The IAB provides session cookies, VPN credentials, or RDP access. The Coinbase Cartel operator uses this access to authenticate as a legitimate user and begins reconnaissance across the victim network without triggering initial access alerts.
- Credential-based access: Valid credentials obtained from stealer malware logs (e.g., RedLine, Lumma, or Vidar) or phishing campaigns are used to authenticate to Microsoft 365, VPN portals, remote access systems, or cloud management consoles. Multi-factor authentication bypass may be attempted through MFA fatigue (push bombing), adversary-in-the-middle (AiTM) phishing proxies, or SIM swapping against high-value accounts. Once inside, the operator maps accessible file shares, cloud storage, and databases before initiating data exfiltration.
- Post-access lateral movement and data staging: Following initial access, the operator uses legitimate tools (e.g., WMI, PsExec, RDP, and SMB) to move laterally throughout the victim environment in search of high-value data repositories. Targeted data includes financial records, HR and payroll files, legal documents, M&A data, customer PII, and authentication databases. Data is staged locally and exfiltrated through cloud storage services (Mega, Rclone to cloud buckets) or direct file transfer to attacker-controlled infrastructure.
- Extortion phase: Once data exfiltration is confirmed, the victim organisation receives a ransom demand accompanied by proof-of-access evidence (sample files or screenshots). If the ransom is not paid within the stipulated timeframe, the data is published on the Coinbase Cartel leak site. The group has been observed incrementally releasing portions of stolen data to increase pressure. No encryption or file-locking activity has been observed; the leverage is based entirely on the threatened public exposure of stolen data.
Ease of Exploitation:
N/A (no CVE; access is obtained via stolen credentials and IABs). Because entry relies on valid credentials or purchased footholds rather than a software vulnerability, there is no patch that closes the vector. The operator authenticates as a legitimate user, so the activity is difficult to distinguish from normal remote access without correlating authentication, lateral movement, and data movement telemetry. Confirmed active operations significantly increase the urgency of remediation.
Conclusion:
Coinbase Cartel represents a growing class of extortion-only threat actors that bypass ransomware deployment entirely and instead leverage IAB ecosystems, stealer malware credential markets, and pure data theft to generate financial pressure. With 143 confirmed victims and cross-sector targeting, the group poses a relevant threat to organisations across the UAE and MENA region with internet-facing remote access systems and cloud environments. The group's DataVault rebranding suggests operational continuity and an adaptive threat posture. Security teams should prioritise credential exposure reduction, MFA enforcement, data loss prevention, and the early detection of bulk data movement.
Impact:
Successful intrusion by the Coinbase Cartel results in the bulk exfiltration of sensitive organisational data, including customer PII, financial records, and internal documentation. Subsequent publication on the group's leak site results in reputational damage, potential regulatory breach notification obligations under the UAE PDPL, and the risk of secondary exploitation of exposed data by other threat actors. Organisations in the finance, legal, healthcare, and technology sectors face heightened regulatory exposure. The group's non-encryption model means operational disruption is not used as leverage, which may delay victim awareness and allow extended dwell time before discovery.
IOC and Context Details:
| Topics | Details |
|---|---|
| Tactic Name | Initial Access, Credential Access, Collection, Exfiltration, Impact |
| Technique Name | Data Exfiltration and Extortion via Initial Access Broker (IAB)-Sourced Access and Valid Credentials (Coinbase Cartel / DataVault Rebrand) |
| Sub Technique Name | Obtain network access via Initial Access Brokers (IABs) or stolen credentials → Authenticate to VPN, RDP, or Microsoft 365 → Move laterally using native operating system tools → Identify and stage sensitive data → Exfiltrate data using Rclone, Mega, or cloud storage → Deliver ransom demand with proof of exfiltration → Publish stolen data on the Coinbase Cartel leak site if payment is not received. |
| Attack Type | Malware |
| Targeted Applications | Microsoft Windows, Linux, Apple macOS; internet-facing RDP, VPN, Microsoft 365, and cloud portals serving as primary entry points across all sectors. |
| Region Impacted | Global |
| Industry Impacted | Finance, Healthcare, Legal, Technology, Retail, Government; global organizations including UAE and MENA enterprises. |
| IOCs | IP addresses: 142.11.233[.]42; 185.196.220[.]114; 45.227.254[.]14; 193.56.28[.]93. Domains: coinbase-cartel-support[.]top; fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd[.]onion; datavault-egress[.]net. SHA256: 4a7c88b0a9d0e2e5f3c4b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7; 9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e; bc34d8e5f7a2c1b9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7 |
| CVE | N/A |
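The indicators above are published defanged (`[.]` in place of `.`), so they cannot be matched against logs until they are refanged. The following script is an added example, not part of the advisory or of any vendor tooling: it refangs the IOC list from the table and sweeps a few constructed DNS, proxy and EDR log lines for exact IP and hash matches and for domain or subdomain matches. The log format and field names are assumptions made for the example.

```python
"""Refang the advisory's IOCs and sweep sample log lines for them.
Added example; the log lines below are constructed, not real telemetry."""
import re

# IOCs exactly as listed in the advisory table (defanged).
DEFANGED_IOCS = {
    "ip": ["142.11.233[.]42", "185.196.220[.]114", "45.227.254[.]14", "193.56.28[.]93"],
    "domain": [
        "coinbase-cartel-support[.]top",
        "fjg4zi4opkxkvdz7mvwp7h6goe4tcby3hhkrz43pht4j3vakhy75znyd[.]onion",
        "datavault-egress[.]net",
    ],
    "sha256": [
        "4a7c88b0a9d0e2e5f3c4b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7",
        "9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a9f8e",
        "bc34d8e5f7a2c1b9d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7",
    ],
}

# Constructed sample log lines (assumed format: timestamp, source, key=value pairs).
LOGS = [
    "2025-09-14T02:11:03 dns client=10.0.0.21 query=coinbase-cartel-support.top type=A",
    "2025-09-14T02:11:09 proxy client=10.0.0.21 dst=142.11.233.42:443 method=CONNECT bytes_out=734003200",
    "2025-09-14T02:12:40 edr host=FS01 image=C:\\Tools\\rclone.exe "
    "sha256=4a7c88b0a9d0e2e5f3c4b6a7f8e9d0c1b2a3f4e5d6c7b8a9f0e1d2c3b4a5f6e7",
    "2025-09-14T09:00:01 dns client=10.0.0.33 query=login.microsoftonline.com type=A",
    "2025-09-14T09:05:17 proxy client=10.0.0.33 dst=198.51.100.20:443 method=CONNECT bytes_out=2048",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)


def refang(ioc):
    """Undo the common defanging conventions so the value matches raw logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_sets(defanged):
    """Return (ips, domains, hashes) as lower-cased, refanged sets."""
    ips = {refang(i) for i in defanged["ip"]}
    domains = {refang(d).lower() for d in defanged["domain"]}
    hashes = {h.lower() for h in defanged["sha256"]}
    return ips, domains, hashes


def scan_line(line, ips, domains, hashes):
    """Return a list of (ioc_type, value) hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in ips:
            hits.append(("ip", ip))
    for dom in DOMAIN_RE.findall(line):
        dom = dom.lower()
        # Match the listed domain itself or any subdomain beneath it.
        if dom in domains or any(dom.endswith("." + d) for d in domains):
            hits.append(("domain", dom))
    for h in SHA256_RE.findall(line):
        if h.lower() in hashes:
            hits.append(("sha256", h.lower()))
    return hits


def sweep(lines, defanged=DEFANGED_IOCS):
    """Return [(line_index, hits)] for every line with at least one IOC hit."""
    ips, domains, hashes = build_sets(defanged)
    results = []
    for idx, line in enumerate(lines):
        hits = scan_line(line, ips, domains, hashes)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in sweep(LOGS):
        print(f"line {idx}: {hits}")
```

Exact string matching is deliberately the only logic here: fuzzy matching on short numeric fragments or partial hashes generates false positives, and the subdomain rule is the one generalisation that is safe for domain IOCs.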
Recommended Actions:
- Audit all internet-facing remote access entry points (VPN, RDP, Microsoft 365, and cloud management consoles) for accounts that do not have MFA enabled. Enforce phishing-resistant MFA (FIDO2 or hardware tokens) across all privileged and remote access accounts. Disable legacy authentication protocols that bypass MFA enforcement.
- Monitor stealer malware credential leak sources and dark web IAB marketplaces for references to your organisation's domains, IP ranges, or employee credentials. Use threat intelligence services to monitor Coinbase Cartel and DataVault-related leak site activity for mentions of your organisation.
- Deploy Data Loss Prevention (DLP) controls across endpoints and network egress points. Configure alerts for bulk file access, large-volume archive creation (ZIP/RAR), and unusual data transfers to cloud storage services, including Mega, Dropbox, personal OneDrive accounts, and unknown S3 buckets. Monitor for Rclone binary execution on endpoints.
- Implement and enforce network segmentation to limit opportunities for lateral movement. Ensure that file servers, databases, and cloud storage repositories are not directly accessible from user endpoints without additional access controls. Use Privileged Access Workstations (PAWs) for administrative activities.
- Integrate Endpoint Detection and Response (EDR) telemetry with your SIEM. Create detection rules for indicators of lateral movement, including PsExec and WMI remote execution, SMB enumeration, bulk file access across shared drives, and Rclone or other cloud synchronisation tool execution. Correlate these events with authentication logs for impossible travel or out-of-hours access.
- Conduct a credential hygiene review by rotating credentials for all service accounts, shared accounts, and privileged users. Cross-reference employee email addresses against known stealer malware log dumps using available threat intelligence. Prioritise password resets for accounts with known exposure.
- Develop and regularly test an incident response playbook for data exfiltration and extortion scenarios. Define escalation paths, legal counsel engagement, UAE PDPL regulatory notification timelines, and communication strategies in the event of data publication on a leak site. Ensure executive leadership understands the Coinbase Cartel threat model.
- If organisational data is identified on the Coinbase Cartel or DataVault leak site, immediately engage legal counsel, initiate a UAE PDPL breach assessment, and notify the NCA ECC where applicable. Preserve forensic evidence and engage a specialist incident response provider to determine the full scope of the intrusion and data exfiltration.
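The EDR and DLP detection rules recommended above (Rclone execution, bulk archive creation, PsExec or WMI remote execution, and correlation with impossible-travel authentication) can be expressed as a small set of functions over process-creation and authentication events. The following is an added example written for this advisory, not a rule set from the advisory itself or from any EDR vendor; the event field names (`ts`, `host`, `user`, `image`, `cmdline`, `src_ip`, `lat`, `lon`), the 900 km/h travel threshold, and the three-archives-in-ten-minutes threshold are assumptions, and the sample events are constructed. It goes slightly beyond the text by combining the process-based and authentication-based alerts into a per-user correlation, which is the step that turns noisy individual rules into an actionable lead.

```python
"""Behavioural detection rules for the indicators listed in the recommended
actions, run over constructed sample telemetry.  Added example, not part of
the advisory; event field names are assumptions rather than a real EDR schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Lower-cased process basenames checked by the rules (assumed lists).
EXFIL_TOOLS = {"rclone.exe", "rclone", "megasync.exe", "megacmd.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe", "7z.exe", "7za.exe", "zip.exe", "tar.exe"}
LATERAL_TOOLS = {"psexec.exe", "psexec64.exe", "wmic.exe"}

# Constructed sample process-creation events (not real telemetry).
PROCESS_EVENTS = [
    {"ts": "2025-09-14T01:50:00", "host": "WS17", "user": "jdoe",
     "image": r"C:\Tools\PsExec.exe", "cmdline": r"psexec.exe \\FS01 -s cmd.exe"},
    {"ts": "2025-09-14T02:05:00", "host": "FS01", "user": "svc_backup",
     "image": r"C:\Program Files\WinRAR\Rar.exe", "cmdline": r"Rar.exe a -r fin1.rar D:\Finance"},
    {"ts": "2025-09-14T02:07:00", "host": "FS01", "user": "svc_backup",
     "image": r"C:\Program Files\WinRAR\Rar.exe", "cmdline": r"Rar.exe a -r hr1.rar D:\HR"},
    {"ts": "2025-09-14T02:09:00", "host": "FS01", "user": "svc_backup",
     "image": r"C:\Program Files\WinRAR\Rar.exe", "cmdline": r"Rar.exe a -r legal1.rar D:\Legal"},
    {"ts": "2025-09-14T02:10:00", "host": "FS01", "user": "svc_backup",
     "image": r"C:\Tools\rclone.exe", "cmdline": r"rclone.exe copy D:\staging mega:drop --transfers 16"},
    {"ts": "2025-09-14T10:15:00", "host": "WS02", "user": "alice",
     "image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a report.zip report.docx"},
]

# Constructed VPN / M365 sign-in events with geolocation already resolved (assumed).
AUTH_EVENTS = [
    {"ts": "2025-09-14T01:00:00", "user": "jdoe", "src_ip": "203.0.113.5", "lat": 25.20, "lon": 55.27},
    {"ts": "2025-09-14T01:40:00", "user": "jdoe", "src_ip": "198.51.100.9", "lat": 40.71, "lon": -74.01},
    {"ts": "2025-09-14T09:00:00", "user": "alice", "src_ip": "203.0.113.7", "lat": 25.20, "lon": 55.27},
    {"ts": "2025-09-14T17:30:00", "user": "alice", "src_ip": "203.0.113.7", "lat": 25.20, "lon": 55.27},
]

AUTH_RULES = {"impossible_travel"}  # rules whose evidence comes from sign-in logs


def _basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ts(s):
    return datetime.fromisoformat(s)


def exfil_tool_execution(events):
    """Any execution of a cloud-sync tool associated with bulk exfiltration."""
    return [{"rule": "exfil_tool_execution", "host": e["host"], "user": e["user"], "image": e["image"]}
            for e in events if _basename(e["image"]) in EXFIL_TOOLS]


def lateral_movement_tool(events):
    """PsExec/WMIC invoked with an explicit remote target (\\\\host or /node:)."""
    alerts = []
    for e in events:
        if _basename(e["image"]) in LATERAL_TOOLS:
            cmd = e["cmdline"].lower()
            if "\\\\" in cmd or "/node:" in cmd:
                alerts.append({"rule": "lateral_movement_tool", "host": e["host"],
                               "user": e["user"], "cmdline": e["cmdline"]})
    return alerts


def bulk_archive_creation(events, threshold=3, window=timedelta(minutes=10)):
    """At least `threshold` archiver runs by one user on one host within `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if _basename(e["image"]) in ARCHIVERS:
            by_actor[(e["host"], e["user"])].append(_ts(e["ts"]))
    alerts = []
    for (host, user), times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"rule": "bulk_archive_creation", "host": host,
                               "user": user, "count": end - start + 1})
                break                             # one alert per actor is enough
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(auth_events, max_kmh=900.0):
    """Consecutive sign-ins by one user that imply travel faster than `max_kmh`."""
    by_user = defaultdict(list)
    for e in auth_events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (_ts(cur["ts"]) - _ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > 0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append({"rule": "impossible_travel", "user": user,
                               "from": prev["src_ip"], "to": cur["src_ip"], "km": round(km)})
    return alerts


def detect(process_events, auth_events):
    """Run every rule and return the combined alert list."""
    return (exfil_tool_execution(process_events) + bulk_archive_creation(process_events)
            + lateral_movement_tool(process_events) + impossible_travel(auth_events))


def correlated_users(alerts):
    """Users flagged by both an authentication-based and a process-based rule."""
    auth_users = {a["user"] for a in alerts if a["rule"] in AUTH_RULES}
    proc_users = {a["user"] for a in alerts if a["rule"] not in AUTH_RULES}
    return auth_users & proc_users


if __name__ == "__main__":
    found = detect(PROCESS_EVENTS, AUTH_EVENTS)
    for a in found:
        print(a)
    print("correlated users:", correlated_users(found))
```

On the sample data the archiver rule fires for `svc_backup` on FS01 (three RAR runs in four minutes) while Alice's single ZIP does not, which is the point of a windowed count rather than a per-event match; the impossible-travel rule fires for `jdoe` (Dubai to New York coordinates forty minutes apart) and, combined with the PsExec run from the same account, is the one user the correlation step surfaces.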
Reference:
https://www.group-ib.com/blog/coinbase-cartel/